Protocol for transmitting a plurality of multiple exchange logic flow of command/response pairs on a single physical exchange channel between master and slave and corresponding system for controlling and monitoring execution of applets

ABSTRACT

The invention concerns a protocol for transmitting multiple logic exchange flow of command/response pairs on a single physical exchange channel between a master and slave transmitter/receiver, and a corresponding system for controlling and monitoring execution of applets. For an existing active base logic flow (S), the protocol consists in selecting (B) said base flow as reference logic flow, generating a set of concurrent logic flows {CLF_(x)}. The concurrent logic flows consist of successive elementary packets segmenting (D) the pairs of command/response. The exchange is initialised and continued by the master transceiver on the basis of specific commands, and the segmentation by the slave transceiver on the basis of specific responses transmitted on the reference flow. The invention is in particular useful for controlling and monitoring

[0001] The present invention pertains to a protocol for the transmission of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, and to the applications of such a protocol, in particular to the implementation of a system for tracking and monitoring execution, or debugging, of applets installed on a microprocessor card.

[0002] The protocols for exchanging data or information between master and slave transceivers are currently of very considerable interest, in so far as the protocols make it possible to effect a reliable and perfectly stable exchange of data, and hence of information, between a master element, endowed with considerable computational and processing capabilities, and a slave element, whose computational and processing capabilities, related to the storage capabilities, are currently much lower.

[0003] This is the case in particular for computer systems consisting of card reader (CAD)—microprocessor card, chip card, pairs also known as embedded systems, for which the ISO 7816 standard defines two protocols for communication between chip card and CAD reader.

[0004] More specifically, these two protocols are defined by the parameters T=0 and T=1 and each correspond to a “half-duplex” protocol, just one of the two participants, the card reader, respectively the chip card, being able at a given instant to transmit data to the other participant.

[0005] Following the insertion of the card into the card reader, the supply to the card is undertaken by the card reader and the data exchange thus occurs on a single physical channel, between the master transceiver, the CAD reader, and the slave transceiver, the chip card. The information unit transmitted is called an APDU standing for Application Protocol Data Unit.

[0006] In the aforesaid protocols, known from the prior art, one distinguishes between the command APDUs, or C-APDU, and the response APDUs or R-APDU.

[0007] An information exchange session consists of one or more APDU exchanges. Thus, an APDU exchange consists of an exchange of a C-APDU/R-APDU command/response pair, always initiated by the master transceiver element, which dispatches a C-APDU to which the slave transceiver responds through an R-APDU. For the duration of the exchange, the master element remains disabled, while awaiting the response, the exchanges of command/response pairs therefore involving the successive transfer of transmission initiative, control, between the master transceiver, respectively the slave transceiver, and vice versa.

[0008] In the worst case, the sole initiative, distinct from this successive transfer, that the master transceiver, the CAD reader, is liable to take is to interrupt the entire exchange session by cutting the power supply to the slave transceiver, the chip card.

[0009] Constant progress in the physical processes for etching integrated circuits and, consequently, in the capabilities for computation and for processing and for storage in a given volume or area of silicon have however prompted, recently, the appearance of slave transceivers, with multiple functionalities. This is the case in particular with multi-application chip cards. Certain chip cards may, for example, incorporate several applications with which the CAD reader can seek to communicate independently. Specifically, whereas CAD readers exhibit no prohibitive limitations of capacity, several applications may be installed in this type of CAD reader, such as for example, automatic ticket dispensers set up in banks or GSM mobile telephony terminals, the system consisting of a slave transceiver, multi-application chip card, is then confronted with the multiple exchange of information, by command/response pairs, on a single physical channel, between substantially independent applications.

[0010] Certain chip cards may in fact incorporate several file systems, several applets or services set up on the latter. GSM cards, in particular, serve, both to cater for the authentication of the subscriber, and, as portable unit, embedded system, for the execution of applets.

[0011] With this aim, section 5.5 of the ISO 7816-4 standard defines the concept of logical channel. These logical channels make it possible to decouple the sessions of APDU exchanges bound for the various participants, applets or services, present on the chip card. The standardized process proposed is very simple, a chip card being able to manage up to four logical channels numbered from 0 to 3. These logical channels may be opened respectively closed by the manage channel standard command, as defined in section 6.16 of the ISO 7816-4 standard. Next, the index number of the destination logical channel for a C-APDU command is coded in the two low-order bits of the class code (CLA) of the APDU.

[0012] Thus, the various logical channels defined by the ISO 7816-4 standard are therefore logically decoupled, but the APDU exchanges on the single physical exchange channel remain disabling, both for the CAD reader and its various applications and also for the various applets or services which can be executed on the chip card, the conflict liable to be generated by the simultaneous multiple presence of command/response pairs relating to distinct logical channels not being resolved specifically. See in particular the provisions of paragraph 4, section 5.5.1 of the ISO 7816-4 standard, according to which the launching of command/response pairs must be terminated before the launching of the next command/response pair, the commands and the responses having not to be nested on several logical channels, a single logical channel having to be active between the reception of a command and the dispatching of the corresponding response.

[0013] The object of the present invention is to remedy the drawbacks of the protocols for exchanging data by command/response pairs of the prior art between master transceiver and slave transceiver by virtue of the elimination of the limitation imposed on the multiple logical channels.

[0014] Another object of the present invention is the formulation of a protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, by virtue of the implementation of concurrent logical channels, each concurrent logical channel allowing the independent exchanging of command/response pairs, it being possible however, for several command/response pairs to be active simultaneously on the various open concurrent logical channels.

[0015] In particular, another object of the present invention is the formulation of a protocol for the transmission of a plurality of logical flows for the multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, in which the master transceiver, such as a CAD reader, is able to initiate an exchange of command/response pairs, APDU, on another concurrent logical channel, while an exchange of command/response pairs is already in progress on an already active concurrent channel, various applications connected to the master transceiver, the CAD reader, using at least one application managed by the slave transceiver, applet or service installed in the chip card, consequently being executed independently of one another, in the absence of any risk of conflict of execution.

[0016] Reciprocally, another object of the present invention is a protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, in which different command/response pairs can be exchanged on distinct concurrent logical channels linked to various applications managed by the slave transceiver, applications such as the various applets or services installed on a multi-application chip card, these applications, by virtue of the implementation of the protocol which is the subject of the present invention thus executing simultaneously and independently.

[0017] Another object of the present invention is also a protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, in which each of the concurrent logical channels is closed on the initiative solely of the master transceiver, including in the case of an exchange of command/response pairs in progress.

[0018] Another object of the present invention is also a protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver exchanging command/response pairs on base logical channels, command/response pairs possibly also being exchanged on concurrent logical channels between this master transceiver and this slave transceiver, the command/response pairs constituting base logical flows conveyed by the base logical channels, respectively concurrent logical flows, conveyed by the concurrent logical channels, these logical flows cohabiting so as to benefit from the procedure for exchanging command/response pairs on the single physical exchange channel, in the absence of any conflict.

[0019] Another object of the present invention is finally, when the master transceiver consists of a CAD reader and the slave transceiver consists of a chip card, a protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs which is fully compatible with the specifications of the ISO 7816 standard.

[0020] The protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between a master transceiver and a slave transceiver, the subject of the invention, pertains to logical flows comprising at least one base logical flow, initiated by the master transceiver, subject to the same master/slave relation as the single physical exchange channel, the master respectively slave transceiver allowing the execution of at least one software application.

[0021] It is noteworthy in that it consists in generating in the one of the base logical flows taken as reference logical flow, a set of concurrent logical flows, each concurrent logical flow being formed by successive elementary packets segmenting the command/response pairs. The successive elementary packets forming the set of concurrent logical flows are transmitted on the reference logical flow, two concurrent logical flows of this set allowing the independent and substantially simultaneous transmission of distinct command/response pairs.

[0022] The initiation and the continuation of any exchange of command/response pairs is carried out on the initiative of the master transceiver on the basis of specific commands transmitted on this reference logical flow and the segmentation into successive elementary packets being carried out on the initiative of specific responses transmitted in response to these specific commands on this reference flow. This allows, on the one hand, the exchange of independent and substantially simultaneous command/response pairs between at least one pair of applications of the master, respectively slave, transceiver, and, on the other hand, the exchange of priority command/response pairs on a different base logical flow from the logical flow taken as reference logical flow on the physical exchange channel.

[0023] The protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between a master transceiver, respectively slave transceiver, and a system for tracking and monitoring execution of applets installed on a computer system, such as an embedded computer system implementing such a protocol, which are the subject of the present invention, will be better understood on reading the description and on looking at the drawings hereinbelow in which:

[0024] FIG. 1a represents, by way of illustration, a flow chart of the implementation of the essential steps of the protocol, which is the subject of the present invention, allowing execution of the protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between a master transceiver and a slave transceiver in the presence of a single base logical flow;

[0025] FIG. 1b represents, by way of illustration, a flow chart of the implementation of the essential steps of the protocol, which is the subject of the present invention, allowing the execution of the protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between a master transceiver and a slave transceiver in the presence of a plurality of base logical flows;

[0026] FIG. 2a represents, by way of illustration, a mode of implementation of an exchange on a base logical flow, taken as the case may be as reference logical flow;

[0027] FIG. 2b represents, by way of illustration, the procedure for chopping into successive packets an exchange by a concurrent logical flow on the initiative of the slave transceiver;

[0028] FIG. 2c represents, by way of illustration, an interleaving of the successive packets of two exchanges by two distinct concurrent logical flows between the master transceiver and the slave transceiver, the chopping of each of the concurrent flows into successive packets being performed on the initiative of the slave transceiver in the same manner as in the case of FIG. 2b;

[0029] FIG. 2d represents, by way of illustration, a procedure for processing an exchange by concurrent logical flow during the procedure for long processing of another exchange by concurrent logical flow;

[0030] FIG. 3a represents a functional diagram of a computer system for tracking and monitoring execution of applets installed on an embedded computer system implementing the protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between a master transceiver and a slave transceiver, which is the subject of the present invention, the master transceiver element being constituted by a pilot module and a CAD terminal and the slave transceiver element being constituted by this embedded computer system, such as a chip card, the single physical exchange channel consisting of a link satisfying one of the ISO 7816 protocols;

[0031] FIG. 3b represents, by way of illustration, a diagram of the logical links between a specific agent module for tracking and monitoring execution of the execution automaton installed in the embedded computer system, the operating system of this embedded computing system, the input/output functions (logical I/O functions constituted by APDUs), the functions for monitoring and tracking execution of the execution automaton, when, in a nonlimiting embodiment, the execution automaton is constituted by a virtual machine with which an applications interfacing library (API) is associated;

[0032] FIG. 4a represents a time chart of the exchanges carried out between the various elements of the computer system for tracking and monitoring applets, which is the subject of the present invention, as represented in FIGS. 3a, 3b in non-debugged mode, the debugging function not being activated, this system behaving substantially, in this case, as a CAD reader associated with a multi-application chip card of the prior art;

[0033] FIG. 4b represents a time chart of the exchanges carried out between the various elements of the computer system for tracking and monitoring the execution of applets, which is the subject of the present invention, as represented in FIGS. 3a, 3b in debugged mode, the debugging function being activated;

[0034] FIG. 4c represents a time chart of the exchanges carried out between the various elements of the computer system for tracking and monitoring applets, which is the subject of the present invention, as represented in FIGS. 3a, 3b and 4b when the virtual machine reaches a stopping point state, also known as Breakpoint hit.

[0035] A more detailed description of the protocol for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel, between a master transceiver and a slave transceiver, in accordance with the subject of the present invention, will now be given with FIG. 1a and the following figures.

[0036] Within the framework of the present description, it is recalled that a logical flow consists of an exchange of multiple command/response pairs on a logical channel by way of the single physical exchange link between master transceiver and slave transceiver.

[0037] Generally, it is recalled that the protocol, which is the subject of the present invention, can be implemented between any master transceiver and any slave transceiver which are linked by a half duplex link allowing the exchange of command/response pairs, the master transceiver being connected to one application from a set of applications and the slave transceiver allowing the execution of at least one application from a set of applications or of services. The interconnection of each application to the master transceiver, denoted E/RM, respectively to the slave transceiver, denoted E/RE, these applications being respectively denoted AM_(y) for the application interconnected to the master transceiver and AE_(z) for the application connected to the slave transceiver, can be carried out by way of a base logical flow, it being possible for this base logical flow to be transmitted by the single physical exchange channel, denoted SEPC, the aforesaid base logical flow BLF consisting of a transmission of command/response pairs, denoted (C,R)b on the single physical exchange channel SEPC.

[0038] Under these conditions, a starting situation, denoted S, as represented in FIG. 1a is considered, in which the set of aforesaid parameters has been defined and can correspond in a nonlimiting manner to the situation in which the master transceiver E/RM is constituted by a CAD reader allowing the execution of at least one application and in which the slave transceiver E/RE is constituted by a chip card in which applets or services are installed, the base logical flows corresponding to the logical flows defined by the provisions of ISO standard 7816-3 and 7816-4 in this situation.

[0039] However, and in accordance with a first use according to the provisions of the aforesaid standard, a single base flow is considered as open and active within the framework of the implementation of the protocol, which is the subject of the present invention represented in FIG. 1a.

[0040] In a more specific manner, as represented in FIG. 1a, the protocol which is the subject of the present invention, consists in regarding the present active base logical flow BLF as reference logical flow LF_(r). This operation is carried out in step B of FIG. 1a and illustrated by the relation:

LF_(r)=BLF.

[0041] This step can be performed by allocating a specific value, such as for example the hexadecimal value FE or the like, to the class codes or parameters of the present active base logical flow.

[0042] Step B is then followed by step C consisting in generating a set of concurrent logical flows {CLF_(x)}. Each concurrent logical flow is formed by successive elementary packets segmenting the command/response pairs. The successive elementary packets forming the set of concurrent logical flows {CLF_(x)} are transmitted on the reference logical flow LF_(r) while effecting the segmentation of step D, two concurrent logical flows of this set allowing the independent and substantially simultaneous transmission of distinct command/response pairs. The return arrow represented in step D illustrates the multiple exchange of successive packets arising from the segmentation.

[0043] The initiation and the continuation of any exchange of command/response pairs is carried out on the initiative of the master transceiver on the basis of specific commands transmitted on the reference logical flow and the segmentation into successive elementary packets is carried out on the initiative of the slave transceiver on the basis of specific responses transmitted in response to these specific commands on this reference flow. The master transceiver can thus maintain, either the exchange of distinct command/response pairs, by maintaining the reference logical flow LF_(r) for the execution of an exchange between application and distinct applets, or the exchange of command/response pairs by return to the base logical flow, by withdrawal of the value FE.

[0044] This modus operandi allows the exchange of independent and substantially simultaneous command/response pairs between at least one pair of applications of the master, respectively slave transceiver, as will be described in greater detail later in the description. As far as the concept of substantially simultaneous transmission of distinct command/response pairs is concerned, it is of course understood that the concept of simultaneity is defined to within the duration of transmission of successive packets.

[0045] Furthermore, the protocol which is the subject of the present invention can be implemented in the presence of a plurality of active base logical flows. As represented in FIG. 1b, in this situation, during the presence of any base logical flow initiated by the master transceiver E/RM, this situation corresponding to a starting situation S similar to that of FIG. 1a, the protocol which is the subject of the present invention can consist in effecting the transmission of any open, and normally active, base logical flow between the master transceiver and the slave transceiver. This operation can be carried out by a test step A consisting in verifying the existence of an active base flow BLF* initialized on the initiative of the master transceiver, on request from any application AM_(y) connected or liable to be connected to the master transceiver.

[0046] In FIG. 1b, the corresponding test A is denoted:

[0047] BLF*={φ}

[0048] This test consists in verifying the absence of any active base logical flow.

[0049] Upon a negative response to the aforesaid test A, an active base flow being present at the level of the master transceiver, the protocol which is the subject of the present invention consists in executing the transmission of the aforesaid active base logical flow by return to step S.

[0050] Conversely, on a positive response to the aforesaid test A, no active base flow being present at the level of the master transceiver, the protocol which is the subject of the present invention can then consist in generating, in at least one base flow taken as reference logical flow, a set of concurrent logical flows.

[0051] In FIG. 1b, step B, similar to that of FIG. 1a, represents the definition of a base logical flow BLF_(u) as reference logical flow, denoted LF_(r) by the relation:

LF_(r)=BLF_(u)

[0052] Within the framework of the implementation of the protocol, which is the subject of the present invention, according to a protocol compatible with the provisions of the ISO standard 7816-4, the definition of the reference logical flow in step B can advantageously be performed by allocating the specific value, such as for example the hexadecimal value FE or the like mentioned previously, to the class codes or parameters of the relevant base logical flow.

[0053] Following step B, a set of concurrent logical flows is generated in step C, similar to that of FIG. 1a, each concurrent logical flow, denoted CLF_(x), and the set of these concurrent logical flows, denoted {CLF_(x)}, is formed by successive elementary data packets, as will be described later in the description. The concurrent logical flows of the aforesaid set of concurrent logical flows {CLF_(x)} allow the independent and substantially simultaneous transmission of distinct command/response pairs between applications connected to the master transceiver, applications denoted AM_(p), respectively to the slave transceiver, applications denoted AE_(q), it being possible for these applications to be a priori different or not different from the applications AM_(y), respectively AE_(z), for which an exchange of data has previously been performed by means of a base logical flow from the set BLF*.

[0054] In FIG. 1b, the step of independent and substantially simultaneous transmission of distinct command/response pairs is denoted D, these command/response pairs being denoted (C,R)_(x) and transmitted according to the corresponding concurrent logical flow CLF_(x) on the single physical exchange channel SEPC.

[0055] Furthermore, as represented in FIG. 1b, the protocol, which is the subject of the present invention, consists in suspending the exchange of any concurrent logical flow immediately upon the activation by the master transceiver E/RM for execution of the exchange of command/response pairs on a base logical flow distinct from the reference logical flow on the single physical exchange channel. This suspension operation can correspond to a test step E such as represented in FIG. 1b, this test step E possibly corresponding to the same test of verification of the absence of active base logical flow BLF* as carried out in step A.

[0056] On a negative response to the test step E, an active base logical flow initiated by the master transceiver E/RM being present, a return to the starting step S is carried out for execution of the transmission of this active base logical flow.

[0057] Conversely, on a positive response to the test E, a return is carried out to step B, for redefinition of a reference logical flow and, of course, execution of the multiple exchange process in accordance with steps B, C and D described above.

[0058] It is thus understood that, by virtue of the implementation of the successive steps of the protocol which is the subject of the present invention, as represented in FIG. 1b, said protocol makes it possible to continue the exchange of any concurrent logical flow immediately upon the end of the execution of the exchange of any base logical flow.

[0059] This modus operandi allows the exchange of independent and substantially simultaneous command/response pairs between at least one pair of applications of the master, respectively slave transceiver on the single physical exchange channel.

[0060] The protocol, which is the subject of the present invention, as represented in FIG. 1b, makes it possible to cater for conflict-free cohabitation, the concurrent logical channels allowing the transmission of the concurrent logical flows and the base logical channels allowing the transmission of the base logical flows. In particular it allows on the one hand, the exchange of independent and simultaneous command/response pairs, as mentioned above, between at least one pair of applications of the master, respectively slave transceiver, and, on the other hand, the exchange of priority command/response pairs on the base logical flows on the single physical exchange channel.

[0061] It is thus understood that, when, as will be described hereinbelow, the base logical flows are defined in such a way as to satisfy the provisions of ISO standard 7816-4 and when the master transceiver is constituted by a CAD reader, whereas the slave transceiver is constituted by a chip card, at any moment, the CAD reader is able to initiate an exchange of APDU commands on a base logical channel. For the duration of this exchange, the other channels, concurrent or otherwise, are then suspended, although without the exchanges currently in progress on the concurrent channels being interrupted.

[0062] In the aforesaid specific implementation, it is then advantageous to use the base logical flows and channels to cater for the transmission of the command/response pairs whose processing requires only a relatively short time.

[0063] A more detailed description of a specific implementation of steps B, C and D of the protocol, which is the subject of the present invention, such as were previously described in conjunction with FIGS. 1a, 1b will now be given with reference to FIGS. 2a, 2b, 2c and 2d when, in particular, the aforesaid base logical flows BLF_(u) satisfy the provisions of ISO standard 7816-4.

[0064] Represented in FIG. 2a are a master transceiver and a slave transceiver, which will be designated as element E/RM respectively element E/RE.

[0065] The exchange of a command/response pair, denoted (C,R), on a base logical flow BLF_(u), is performed on the single physical exchange channel SEPC, the element E/RM receiving a command C from the application AM_(p) connected to the element E/RM, by way of the pilot P, this element taking control in order to effect the transmission of the command C, denoted C=[“COMMAND”], to the slave element E/RE. The element E/RE having control, transmits the command C to the application AE_(q) connected to the slave element E/RE. The response of the aforesaid application R is communicated to the slave element E/RE, which again has control so as to effect the transmission of the response, denoted R=[“RESPONSE”], on the single physical exchange channel SEPC to the element E/RM, which transmits it to the application AM_(p) by way of the pilot P. In the given example, it is understood that the character strings “COMMAND” and “RESPONSE” designate a symbolic command and a symbolic response respectively.

[0066] When the relevant logical flow is a base logical flow BLF_(u), the command/response process can be continued with the execution of the corresponding commands and responses, in the absence of nesting or interleaving of the successive corresponding logical flows, in accordance with the provisions of ISO standard 7816-4.

[0067] Conversely, when the base logical flow is constituted as reference logical flow LF_(r), by allocating the specific class code mentioned previously in the description for example, the process for generating the successive concurrent logical flows is then carried out on the initiative of the slave element E/RE by a chopping of the data constituting an exchange of APDU on the relevant concurrent logical channel. This chopping consists of a chopping into more elementary data units or segments and of the transmission of these data or command segments, on the single physical exchange channel SEPC using ordinary APDUs however.

[0068] It is understood in particular that the aforesaid chopping on the initiative of the slave element E/RE can advantageously be performed in accordance with a particularly noteworthy aspect of the protocol, which is the subject of the present invention, by the definition, on the initiative of the element E/RE by means of a response, of a segmentation order. This segmentation order can for example define the maximum size of the packet of the command transmitted by the master element E/RM in the guise of partial command or data item. The slave element E/RE defines on its own initiative or on request from the application AE_(q) the maximum size of the packet transmitted in the guise of partial command dispatched by the aforesaid master element E/RM. Reciprocally, the slave element defines the actual size of the packet transmitted in the guise of partial response. It is understood in particular that the chopping of the aforesaid data into data segments or packets makes it possible to interleave these partial APDUs and thus interleave the data logical flows, the concurrent logical flows flowing on the aforesaid concurrent channels.

[0069] An example of segmentation or chopping into successive packets ofa command, respectively of a response constituting a command/responsepair exchanged between an application AM_(p) connected to the masterelement E/RM and an application AE_(q) connected to the slave elementE/RE by way of a concurrent logical flow CLF_(x) will be given, by wayof nonlimiting example, in conjunction with FIG. 2b.

[0070] In the aforesaid figure, it is indicated that thecommand/response pairs used correspond of course, in the aforesaidnonlimiting embodiment, to APDU commands.

[0071] Thus, the application AM_(p) transmits a command C to the masterelement E/RM, this command being denoted:

[0072] C=[“COMMAND”]

[0073] In the aforesaid command, constituting a C-APDU, the character string “COMMAND” representing a symbolic command designates any command normally available in the guise of an APDU command. The logical value of this command is that which is normally available in the collection of APDU commands, the aforesaid character string simply symbolizing the syntax of this command.

[0074] On receipt of the aforesaid command C by the master element E/RM, the latter, having control, transmits to the slave element E/RE a specific command for notification of the command to the slave element E/RE.

[0075] The command notification command is denoted:

[0076] [COMMAND_READY x]

[0077] where x designates the index of CLF_(x).

[0078] On receipt of the aforesaid command notification, the slave element E/RE, in conjunction with the application AE_(q) and having control, transmits a response constituting an order for segmentation of the command to be received, the command C cited above.

[0079] The segmentation order is a response of APDU type of the form:

[0080] [RECEIVE_BYTES x NB=3]

[0081] The response, the aforesaid segmentation order, of course comprises, in addition to the functional header RECEIVE_BYTES, a field relating to the concurrent flow of index x and a field, designated arbitrarily in FIG. 2b by NB=3, where NB denotes the maximum number of bytes or words (characters) which is requested by the slave element E/RE in conjunction with the application AE_(q) connected to said element.

[0082] On receipt by the master element E/RM of the segmentation order, the master element E/RM, again having control, transmits on the reference logical flow LF_(r) a data transmission command comprising of course the number of bytes or words which is requested by the slave element E/RE, or a lower number.

[0083] The packet transmission command is an APDU command of the form:

[0084] [SEND_DATA x [“COM”]]

[0085] In addition to the functional header SEND_DATA corresponding to a data transmission command and the field relating to the concurrent logical flow of index x which is the subject of the present invention, this packet transmission command of course comprises a number of bytes, or words, equal to three and corresponding, in the case of the command C, to the first three letters COM of the arbitrary command “COMMAND”.

[0086] Following the receipt by the slave element E/RE of the aforesaid packet transmission command, the slave element, having control, transmits an APDU type acknowledgement of receipt response, designated [OK] in FIG. 2b, to the master element.

[0087] The master element E/RM, again having control, then transmits to the slave element E/RE a command for continuance of transmission of the exchange of the command/response pair, of the form:

[0088] [RESUME]

[0089] On receipt of this continuation command, the slave element E/RE, having control, repeats, after processing by the application AE_(q), the dispatching to the master element of the segmentation order response, in which, for example, the field relating to the requested number of bytes is taken equal to NB=4.

[0090] Following the receipt by the master element E/RM of the aforesaid new segmentation order, said element transmits a new command for transmission of a packet, in which command the field of the packet transmitted comprises 4 bytes corresponding to the letters “MAND” of the aforesaid command C.

[0091] Following the receipt of the aforesaid new packet of 4 bytes, the slave element E/RE is then ready, in conjunction of course with the application AE_(q) and having control, to transmit a segmented response of APDU type and of the form:

[0092] [SEND_BYTES x [“RESP”]]

[0093] The aforesaid response comprises a number of transmitted bytes or words whose choice is at the sole initiative of the slave element E/RE, in conjunction with the application AE_(q) connected to said element. In the case of FIG. 2b, the segmented response comprises 4 bytes, or words, that is to say the four letters “RESP” corresponding to the first segment of a symbolic response, “RESPONSE”.

[0094] Following the receipt by the master element E/RM of the aforesaid segmented response, the latter element, having control, then transmits a new continuation command to the slave element E/RE, thereby allowing the slave element E/RE, in conjunction with the application AE_(q) and having control, to dispatch to the master element E/RM a new segmented response comprising a number NB of transmitted bytes or words taken arbitrarily equal to four and corresponding to “ONSE”.

[0095] On receipt of this new segmented response, the master element E/RM again transmits a continuation command to the slave element E/RE so as to allow the full transmission of the response, until an APDU type end of response message is transmitted by the slave element E/RE to the master element E/RM.

[0096] The end of response APDU message is of the form:

[0097] [RESPONSE_COMPLETE x]

[0098] Following the receipt of the end of response message, the master element E/RM has the complete response R of the form:

[0099] R=[“RESPONSE”]

[0100] and corresponding therefore to the symbolic response, the command/response pair C/R having been transmitted by way of the concurrent logical flow CLF_(x), on the single physical exchange channel SEPC, in successive packets on the initiative of the slave element E/RE.

[0101] The segmentation into packets of the commands and responses transmitted by the concurrent logical flows is thus carried out under the supervision of the slave element, that is to say the chip card itself, in conjunction with the recipient of the transmitted data, that is to say the applets for example. This modus operandi appears extremely important insofar as it makes it possible to use all the transport protocols defined by the ISO 7816-4 standard, in particular for the value of the transport parameter T=0, for which the exact form of the APDU, in particular its direction, is ambiguous and constitutes an implicit information element known only to the two parties communicating on the single physical exchange channel, that is to say, at the end of the day, the applications AM_(p) and AE_(q).

[0102] Furthermore, the aforesaid segmentation process, in which the slave element E/RE regularly cedes control to the master element, the CAD reader, makes it possible to manage any asynchronous requests for exchange originating from the applications AM_(p) or AE_(q) connected to the various concurrent channels.

[0103] As far as the aforesaid segmentation process is concerned, and of course as far as the process for implementing the protocol, which is the subject of the invention, as represented in FIG. 1, is concerned, it is indicated that the applications AM_(p) and AE_(q) can request the opening of a concurrent channel for the transmission of a concurrent logical flow, or of a base channel for the transmission of a base logical flow, by way of the pilot, not represented in the drawing, which consists of a specific computation unit. The pilot can of course communicate with the master element E/RM and with the applications AM_(p). Each application can moreover, following the opening of a concurrent channel or of a base channel for the exchange of a concurrent logical flow, respectively of a base logical flow, request the exchange of an APDU on this channel and interrupt the current exchange in the case where the channel is concurrent or where the logical flow exchanged is a concurrent logical flow, as represented in FIG. 1.

[0104] Moreover, the segmentation of the data or commands constituting an exchange of APDU on a concurrent channel, as represented in FIGS. 1 and 2b, allows the transmission of these data or command segments on the single physical exchange channel, while authorizing the interleaving of the command/response pairs constituted by elementary APDUs and, ultimately, the corresponding interleaving of the concurrent data flows flowing on the aforesaid concurrent channels, as will be described in a specific nonlimiting example, in conjunction with FIG. 2c.

[0105] In the aforesaid FIG. 2c, there is considered a nonlimiting example in which two applications AM_(p) and AM_(p′) can be connected to the master element E/RM by way of the pilot, whereas the slave element E/RE is connected to a single application for example, which, for this reason, is not designated as such in FIG. 2c.

[0106] In the aforesaid figure, the application AE_(y), by way of the pilot, not represented, supposedly dispatches a command C=[“COMMAND”] to the master element E/RM following the request for opening of a concurrent logical flow CLF_(x).

[0107] With reference to FIG. 2b, the master element E/RM transmits the command notification command mentioned previously in the description on the single physical exchange channel SEPC. The slave element E/RE responds through transmission of a segmentation order response, for which NB is taken equal to 8 arbitrarily by the applet or application executed by the slave element E/RE.

[0108] On receipt of the segmentation order response by the master element E/RM, the latter transmits to the slave element E/RE a packet transmission command comprising a character string of eight characters, corresponding to the number of bytes or words requested by the slave element, the symbolic command thus being transmitted in full. The slave element E/RE is then able to transmit the acknowledgement of receipt [OK] to the master element. The master element can then continue any transmission procedure, either on the concurrent logical channel through the transmission of the concurrent logical flow CLF_(x), or on another concurrent logical channel, as will be described hereinbelow.

[0109] The application AM_(p′), executed by the master element E/RM, has requested the opening of a concurrent logical channel CLF_(x), prior to the transmission by way of the pilot of a command C′, corresponding to the symbolic command of the form:

[0110] C′=[“C′O′M′M′A′N′D′”]

[0111] On receipt of the continuation command dispatched by the master element E/RM to the slave element E/RE, the latter can then proceed to the dispatching of a segmented response corresponding to the command C, since, of course, the slave element E/RE does not yet know of the existence of the command C′, for which alone the concurrent logical channel has been opened, the corresponding concurrent logical flow CLF_(x) not yet being active.

[0112] By way of nonlimiting example, and for a symbolic response “RESPONSE”, the segmented response transmits a packet, by way of partial response, consisting of the character string “RESP”.

[0113] The master element E/RM can then proceed, by way of the pilot, to the activation of the concurrent logical flow CLF_(x), so as to initialize a nested exchange through the dispatching of the command notification command relating to the command C′ mentioned previously.

[0114] On receipt of the command notification command by the slave element E/RE, the latter, having control, transmits a segmentation order response relating to the command C′ for a number of bytes which is arbitrarily taken equal to NB=4. In response, the master element E/RM transmits a packet transmission command relating to the command C′ and comprising of course 4 bytes, or characters, these letters constituting the character string “C′O′M′M′” of the symbolic command C′.

[0115] The slave element E/RE transmits the acknowledgement of receipt in response.

[0116] The master element E/RM, having control, can, by way of the pilot, notify the slave element E/RE of the set of the currently active concurrent logical flows, when this set is different from the empty set. This notification can be performed in the form of a continuation command, which will be described in greater detail later in the description. In response to the continuation command, the slave element E/RE can then transmit the four missing bytes so as to complete the transmission of the symbolic response “RESPONSE”, by the segmented response comprising the bytes, or words, “ONSE” on the concurrent logical flow CLF_(x). The master element E/RM then transmits on the same concurrent logical channel a continuation command to the slave element E/RE, which can then send an end of response message relating to the command C. On receipt of this end of response message, the master element E/RM can send the symbolic response to the command C to the application AM_(p) by way of the pilot.

[0117] Moreover, the master element E/RM can then continue, by way of the pilot, the multiple exchange process on the concurrent logical flow CLF_(x) for the exchange of the command/response pair relating to the command C′, for which the end of response message has not yet been sent by the slave element E/RE. The concurrent logical flow CLF_(x), opened on the initiative of the application AM_(p′), is again activated by the pilot and, following the receipt of the continuation command by the slave element E/RE, the latter can transmit a segmentation order response to the master element E/RM for a maximum given number of bytes or words taken equal to NB=4 and relating to the command C′ initialized by the application AM_(p′).

[0118] On receipt of the segmentation order response, the master element E/RM can then transmit a packet transmission command relating to the command C′ and comprising a packet consisting of 3 bytes, the last three bytes or words constituting the character string “A′N′D′” of the symbolic command C′.

[0119] Following the receipt by the slave element E/RE of the aforesaid packet transmission command and the dispatching by said element of an acknowledgement of receipt, the master element transmits a continuation command so as to obtain a response to the symbolic command.

[0120] In response to this continuation command, the slave element E/RE transmits the entire symbolic response, denoted “R′E′S′P′O′N′S′E′” and corresponding to the response to the command C′, in segmented response form.

[0121] Following the receipt of the aforesaid segmented response by the master element E/RM, the latter again transmits a continuation command to the slave element E/RE, which can then transmit an end of response message relating to the command C′ to the master element E/RM. The latter can then proceed to the transmission, to the application AE_(y), of the symbolic response formed by the character string [“R′E′S′P′O′N′S′E′”].

[0122] As far as the procedures for opening concurrent channels by way of the pilot are concerned, it is indicated that this opening can be carried out by way of an APDU command of Manage Channel type. See ISO 7816-4, paragraph 6.16.

[0123] In general, it is indicated that each successive elementary packet, forming the concurrent logical flows, is transmitted by means of specific APDU command/response pairs on the single physical exchange channel.

[0124] Command/response pairs for executing a base logical flow are constituted by the APDU entities, and the distinct command/response pairs are formed preferably by a specific APDU command of Envelope type and a short APDU response belonging to a subset of APDU responses.

[0125] On receipt of the special physical C-APDU commands of Envelope type, the slave element E/RE performs a processing. For example, the slave element, when the latter is constituted by a chip card, can progress the execution of certain installed applets. It must, however, give a response in a relatively short time. The response, constituting an R-APDU, must take one of the following forms:

[0126] 1. [TIME_OUT]

[0127] the card has simply run out of the time granted, without any other particular event;

[0128] 2. [GET_HEADER x]

[0129] the card demands the header of the C-APDU of concurrent channel x. The pilot must respond through the physical command [SEND_HEADER x CLA INS P1 P2 P3], to which the card responds through an R-APDU [OK];

[0130] 3. [GET_BYTES x n]

[0131] the card demands the next n bytes of the C-APDU of concurrent channel x. The pilot responds through a physical command [SEND_DATA x a₁ . . . a_(m)], where m ≤ n may be different from n if this is the last segment of incoming data. The card acknowledges receipt through an R-APDU [OK];

[0132] 4. [SET_OUTGOING_LENGTH x Lr]

[0133] the card indicates to the pilot the length of the response R-APDU on concurrent channel x.

[0134] 5. [SEND_BYTES x a₁ . . . a_(n)]

[0135] the card dispatches the next n bytes of the R-APDU on concurrent channel x.

[0136] 6. [STATUS x SW]

[0137] the card indicates the status, that is to say the last two bytes, of the R-APDU on concurrent channel x. The exchange on channel x is then terminated.

[0138] In all cases, the pilot retakes control after this exchange.

[0139] In the case where the request of the card constitutes a protocol error, for example in cases 2 to 6 if no exchange is in progress on channel x, or else if the card requests the header twice in the course of one and the same exchange, the pilot signals the problem to the card through a command [IO_ERROR x code], where the nature of the error is expressed in the code number.
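The interleaved exchange of FIGS. 2b and 2c and the six card responses of paragraphs [0126] to [0139], including the pilot's [IO_ERROR x code] check, as an added simulation that is not part of the patent. The message names follow the patent; the tuple layout of the messages, the header bytes, the error code numbers, the Pilot, Card and Exchange classes and the run() scheduler are assumptions made for this example.

```python
from dataclasses import dataclass, field
ERR_NO_EXCHANGE, ERR_HEADER_TWICE = 1, 2   # assumed codes for [IO_ERROR x code]

@dataclass
class Exchange:
    """Pilot-side bookkeeping for one command/response pair on channel x."""
    header: bytes                  # CLA INS P1 P2 P3, delivered once on GET_HEADER
    command: bytes                 # command data, delivered in card-sized packets
    sent: int = 0                  # command bytes already delivered
    header_sent: bool = False
    outgoing_len: int = 0          # announced by the card with SET_OUTGOING_LENGTH
    response: bytearray = field(default_factory=bytearray)
    done: bool = False

class Pilot:
    """Master element E/RM: the only party that places C-APDUs on the channel."""
    def __init__(self):
        self.exchanges = {}        # channel index x -> Exchange
        self.trace = []            # every C-APDU and R-APDU, in channel order
    def _send(self, cmd):
        self.trace.append(cmd)
        return cmd
    def notify(self, x, header, command):   # command notification command
        self.exchanges[x] = Exchange(header, command)
        return self._send(("COMMAND_READY", x))
    def resume(self, x):                    # continuation command
        return self._send(("RESUME", x))
    def on_response(self, resp):
        """Validate one R-APDU from the card; return the C-APDU it triggers, or None."""
        self.trace.append(resp)
        kind = resp[0]
        if kind in ("TIME_OUT", "OK"):      # no channel field; control simply returns
            return None
        x = resp[1]
        ex = self.exchanges.get(x)
        if ex is None or ex.done:           # cases 2..6 with no exchange in progress on x
            return self._send(("IO_ERROR", x, ERR_NO_EXCHANGE))
        if kind == "GET_HEADER":
            if ex.header_sent:              # header requested twice in one exchange
                return self._send(("IO_ERROR", x, ERR_HEADER_TWICE))
            ex.header_sent = True
            return self._send(("SEND_HEADER", x, ex.header))
        if kind == "GET_BYTES":             # segmentation order: the card chose n
            chunk = ex.command[ex.sent:ex.sent + resp[2]]   # m <= n on the last segment
            ex.sent += len(chunk)
            return self._send(("SEND_DATA", x, chunk))
        if kind == "SET_OUTGOING_LENGTH":   # card announces the total R-APDU length
            ex.outgoing_len = resp[2]
            return None
        if kind in ("SEND_BYTES", "STATUS"):  # response segment, then the two status bytes
            ex.response += resp[2]
            ex.done = kind == "STATUS"      # STATUS terminates the exchange on x
            return None
        raise ValueError(f"unknown R-APDU {resp!r}")

class Card:
    """Slave element E/RE: chooses incoming packet sizes and segments its replies."""
    def __init__(self, answers, in_sizes, out_sizes):
        self.answers = answers         # x -> (response body, 2-byte status word)
        self.in_sizes = in_sizes       # x -> sizes n it will request for the command
        self.out_sizes = out_sizes     # x -> sizes of the response segments it sends
        self.got, self.put, self.announced, self.errors = {}, {}, set(), []
    def on_command(self, cmd):
        """Reply to one C-APDU; the card holds control only until it answers."""
        kind, x = cmd[0], cmd[1]
        if kind == "COMMAND_READY":
            self.got[x], self.put[x] = bytearray(), 0
            return ("GET_HEADER", x)
        if kind in ("SEND_HEADER", "IO_ERROR"):   # acknowledging IO_ERROR is assumed
            if kind == "IO_ERROR":
                self.errors.append(cmd)
            return ("OK",)
        if kind == "SEND_DATA":
            self.got[x] += cmd[2]
            return ("OK",)
        if kind == "RESUME":
            if self.in_sizes[x]:           # command not yet fully received
                return ("GET_BYTES", x, self.in_sizes[x].pop(0))
            body, sw = self.answers[x]
            if x not in self.announced:
                self.announced.add(x)
                return ("SET_OUTGOING_LENGTH", x, len(body) + len(sw))
            if self.put[x] < len(body):
                seg = body[self.put[x]:self.put[x] + self.out_sizes[x].pop(0)]
                self.put[x] += len(seg)
                return ("SEND_BYTES", x, seg)
            return ("STATUS", x, sw)
        raise ValueError(f"unknown C-APDU {cmd!r}")

def run(commands, card, schedule):
    """Serve `commands` on one physical channel, handing control to the card once per
    schedule entry; alternating channel indices interleaves the concurrent flows."""
    pilot = Pilot()
    for x in schedule:
        cmd = pilot.resume(x) if x in pilot.exchanges else pilot.notify(x, *commands[x])
        while cmd is not None:         # OK / TIME_OUT hand control back to the master
            cmd = pilot.on_response(card.on_command(cmd))
    return pilot
```

A schedule such as [1, 1, 2, 1, 1, 2, 1, 1, 2, 2, 2, 2] reproduces the nesting of FIG. 2c, and a further entry for a channel whose exchange is already terminated produces the [IO_ERROR x code] of [0139].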

[0140] A specific processing of a request for exchange by concurrent logical flow during the long processing of another exchange by concurrent logical flow is moreover illustrated in FIG. 2d, relating to two applications AM_(p) and AM_(p′) executed by way of the master element E/RM.

[0141] With reference to FIG. 2d, there is considered the execution of the exchange of a command/response pair on a concurrent logical flow CLF_(x) for a command C=[“COMMAND”] executed on the initiative of the application AE_(y).

[0142] In such a case, following the opening of the concurrent logical flow CLF_(x), this concurrent logical flow being rendered active by the pilot, the execution of the exchanges can be carried out under the condition of execution within the time granted to the slave element E/RE.

[0143] For the execution of the exchange, any partial execution by the slave element E/RE running out of the time granted to the latter, without any other particular event, forms the subject of the dispatching by the slave element E/RE of a response of R-APDU type of the form:

[0144] [TIME_OUT]

[0145] and of the dispatching of a continuation command by the master element E/RM. This process can be continued for the active concurrent logical flow CLF_(x) for the various successive time slices used by the slave element E/RE.

[0146] On receipt by the master element E/RM of a command C′ on the initiative of another application AM_(p′), the opening of the concurrent logical flow CLF_(x′), this concurrent logical flow being rendered active by the pilot, allows the transmission of a command notification relating to the command C′, on the concurrent logical channel supporting the concurrent logical flow CLF_(x′), to the slave element E/RE. The process for transmitting a response [TIME_OUT] can then be continued for the execution of the command C′ on the concurrent logical flow CLF_(x′), for the execution of the transmission of the commands C, respectively C′.

[0147] The protocol, which is the subject of the present invention, allows the processing of asynchronous requests for exchange between applications executed by way of the master element E/RM as well as those of the applets or services executed by way of the slave element E/RE.

[0148] With reference to FIG. 1b, when these requests relate to the base logical flows and the corresponding base logical channels, the set of concurrent logical channels and concurrent logical flows is suspended until the receipt of the response relating to the base logical flows.

[0149] However, asynchronous requests for exchange may also relate to the dispatching of a C-APDU command on a free concurrent channel. In this case, the pilot, by way of the master element E/RM, dispatches a command notification command to indicate that a C-APDU type command is available on the logical channel and the relevant concurrent logical flow CLF_(x). The notification command can, by way of nonlimiting example, then trigger the execution of the recipient applet on the slave element E/RE.

[0150] When the pilot has control, by way of the master element E/RM, but no asynchronous exchange request is arriving at said element, although an exchange is still in progress on one of the concurrent channels, the continuation of execution is carried out through the dispatching of a C-APDU type command, that is to say through the continuation command previously mentioned in the description.

[0151] Under these conditions, the slave element E/RE must cede control within a relatively short time, so as to be able to process the asynchronous requests as fast as possible.

[0152] Ultimately, with reference to FIGS. 1 and 2b, the protocol, which is the subject of the present invention, can preferably be implemented on the basis of two specific commands, of C-APDU type, and three specific responses, of R-APDU type.

[0153] The first specific command consists of the command notification command, allowing the master element E/RM to notify the slave element E/RE of the existence of the set of currently active concurrent logical flows. It is understood that in the examples given in FIGS. 2b and 2c in particular, each command notification command comprised a single active concurrent logical flow, CLF_(x) respectively CLF_(x′), so as not to needlessly overburden the description, but that several concurrent logical flows may as appropriate be active simultaneously, the transmission of the concurrent logical flows on the single physical exchange channel not, however, being executable other than successively. The command notification command can in fact consist of:

[0154] the command C_(Ia), formed by the command [COMMAND_READY x];

[0155] the command C_(Ib), formed by the command [RESUME].

[0156] The commands C_(Ia) and C_(Ib) make it possible to notify the slave element E/RE of the availability of the master element E/RM for the execution or the continuation of an exchange on a concurrent channel.

[0157] The second specific command, consisting of the packet transmission command, makes it possible to dispatch an elementary packet from the master transceiver to the slave transceiver. This second specific command, denoted C_(II), is dispatched on receipt of the first specific response, denoted R_(I), constituting the segmentation order, dispatched by the slave transceiver in response to one of the first or second specific commands. The second specific command C_(II) is dispatched on receipt of the first specific response emanating from the slave element E/RE in response to one of the first, C_(Ia), C_(Ib), respectively second, C_(II), specific commands, and makes it possible to transmit, from the master element E/RM to the slave element E/RE, an elementary packet relating to the currently active command for one of the concurrent logical flows of the set of concurrent logical flows, which is designated in the first specific response R_(I). The chopping of the currently active command into successive packets, the command C in FIG. 2b for example, is carried out on the initiative of the slave transceiver by specification, in the first specific response R_(I) constituting the segmentation order, of the maximum size of the packet transmitted in the second specific command C_(II).

[0158] The second specific response R_(II), constituting the segmented response, makes it possible to dispatch from the slave element E/RE to the master element E/RM an elementary packet of the response on a currently active concurrent logical flow, which is designated in the second specific response R_(II).

[0159] Finally, the third specific response R_(III) consists of a simple response, the end of specific command/response pair response, sent from the slave element E/RE to the master element E/RM.

[0160] Thus, the continuation of the exchange of successive packets is carried out on the initiative of the master element E/RM on dispatch by the latter of the first specific command, and in particular the command notification command C_(Ia). This continuation is, however, conditioned on the absence of any active base logical flow, as represented in FIG. 1b.

[0161] Conversely, the existence of an active base logical flow conditions the priority transmission of this active base logical flow on the single physical exchange channel by the master element E/RM, as represented in FIG. 1b.

[0162] The set of steps of the protocol, which is the subject of the present invention, allows the exchange of independent command/response pairs, the command/response pairs C,R, respectively C′,R′, as illustrated in FIG. 2c.

[0163] A more detailed description of a system for tracking and monitoring execution of applets installed on a computer system, such as an embedded computer system, furnished with at least one memory, with an execution automaton and with an operating system, at least one of the installed applets being intended for exchanging specific information with at least one application executed by a computer furnished with another operating system, will now be given in conjunction with FIGS. 3a, 3b and the following figures.

[0164] In a general manner, it is indicated that the system for tracking and monitoring execution of applets, in accordance with the subject of the present invention, implements the protocol for transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel between the master element E/RM and the slave element E/RE described previously, so as to cater for a process for tracking and monitoring execution of applets, that is to say for debugging the latter.

[0165] As represented in the aforesaid FIG. 3a, the system which is the subject of the present invention comprises at least, in addition to the embedded computer system, constituted for example by a chip card 1, and the application 2 executed by a computer furnished with a specific operating system, a pilot module 3 for tracking and monitoring execution, that is to say for debugging, any applet installed on the embedded computer system 1. The pilot module 3 is, on the one hand, linked to the application 2 by a link denoted L₂₃ and, on the other hand, by way of a single physical exchange link of command/response type, a link denoted L₁₃, to the embedded computer system 1.

[0166] The execution tracking and monitoring system, which is the subject of the present invention, also comprises an execution tracking and monitoring module 4 interconnected to the pilot module 3 by way of a link L₃₄, this execution tracking and monitoring module being intended to monitor the execution of the execution automaton of the embedded computer system 1.

[0167] More specifically, it is indicated that the embedded computer system 1 comprises an operating system OS and an execution automaton, denoted AUT, which, in a specific embodiment in the JAVACARD environment, may be constituted by a virtual machine VM of JCVM type for example.

[0168] Of course, the embedded computer system 1 comprises, installed in a nonvolatile memory, distinct applets, denoted App₁ . . . App_(x) . . . App_(N), these applets being a priori independent.

[0169] Finally, the embedded computer system 1 comprises an agent module for tracking and monitoring execution of the execution automaton, installed in the nonvolatile memory of the embedded computer system 1.

[0170] In an especially advantageous nonlimiting embodiment, it is indicated that the embedded computer system 1 is an embedded system constituted by a chip card, or microprocessor card, the pilot module 3 comprising a CAD reader with microprocessor, and the single physical exchange link of command/response type, constituted by the link L₁₃, is constituted by an ISO 7816 type link.

[0171] More specifically, it is indicated that the single physical exchange link of command/response type makes it possible to perform multiple exchanges, in accordance with the protocol, described previously in the description, which is the subject of the present invention.

[0172] As far as the links L₂₃ and L₃₄ are concerned, it is indicated that the link L₂₃ can be embodied as an ISO 7816 type link or as a software layer compatible with the software libraries PC/SC or OCF, for example. The software libraries PC/SC form the subject of the reference documents Interoperability Specification for ICCs and Personal Computer Systems, version 1.0, December 1997, parts 1 to 8, published by the PC/SC Workgroup and accessible at the address [www.pcsworkgroup.com], and the OCF (OpenCard Framework) software libraries of the reference document OpenCard Framework 1.1.1 . . . Programmer's Guide, 3rd Edition, April 1999, published by the OpenCard Consortium and available at the address [www.opencard.org]. However, in the case of the implementation of the link L₃₄, this link may advantageously be embodied by means of the JDWP protocol specified by SUN MICROSYSTEMS INC. in the document JAVA™ Debug Wire Protocol, accessible at the address [http://java.sun.com/products/jpda/doc/jdwp-spec.html] and delivered together with the “Java2SDK, v 1.3.0” software by SUN. The implementation of such a protocol makes it possible to use any execution tracking and monitoring tool adapted to this protocol.

[0173] Moreover, as represented in FIG. 3b, the execution automaton AUT can comprise a virtual machine, denoted VM, with which is associated an application interfacing library API.

[0174] Finally, the agent module 5, installed in the nonvolatile memory of the embedded computer system, comprises a software agent module for tracking and monitoring execution of the exchange between the applications and applets.

[0175] The general manner of operation of the assembly is as follows:the pilot module 3 uses two concurrent logical channels to cater for theexchange of implicitly open corresponding concurrent logical flows. Afirst concurrent logical flow is used to communicate with one of theapplets App_(x) for example, in execution tracking and monitoring modedesignated debugged mode.

[0176] The second concurrent logical flow is used to transmit the eventsoriginating from the virtual machine VM when, for example, this virtualmachine reaches a stopping point or when it executes any operation thatthe execution tracking and monitoring module 4 has requested bemonitored or followed.

[0177] Finally, a non-concurrent logical channel, allowing the exchangeof a default non-concurrent logical flow, is then used to monitor theexecution of the virtual machine VM and to access the internal state ofthe latter.

[0178] The pilot module 3 takes into account the successive retaking ofcontrol of the master element E/RM in order to process the asynchronousstopping requests transmitted by the execution tracking and monitoringmodule 4. If an asynchronous stopping request such as this has arrivedat the pilot module and if the latter has retaken control, asrepresented diagrammatically during the implementation of the protocol,which is the subject of the present invention, in conjunction with FIG.2b or 2 c, then the execution of the virtual machine VM is suspended.The master element E/RM then transmits the continuation command by wayof the pilot module 3 only at the moment at which the user, that is tosay the execution tracking and monitoring module 4 controlled by thelatter, requests that execution be continued.

[0179] The concrete implementation of the execution tracking andmonitoring system, which is the subject of the present invention, canmake it possible to optimize the format of the APDU commands andresponses actually used. For example, to undertake the execution of aninstruction, it is in principle necessary firstly to use a monitoringcommand on the base channel making it possible to route the aforesaidbase logical flow, so as to indicate to the embedded computer system 1the next execution proper by the continuation command [RESUME]. Thesetwo commands may be replaced by a single command, such as the command[STEP].

[0180] The modus operandi of the pilot module 3 is then as follows:

[0181] the pilot module caters for the monitoring and management of the agent module 5 by way of specific command/response pairs of the APDU type, designated, in the debugging application considered, DPDU, standing for Debug Protocol Data Unit. To this end, the agent module prompts the exchange of the aforesaid DPDU messages with each input/output (I/O) transition performed by the automaton, that is to say with each call to the input/output functions by the virtual machine VM. The DPDU messages comprise packets of the command or of the response exchanged between application and applet, as described previously in conjunction with FIG. 2b or 2c.

[0182] the pilot module 3 moreover suspends, on request from the execution tracking and monitoring module 4, on the initiative of the user, the execution of the execution automaton AUT, that is to say ultimately of the virtual machine VM, during input/output exchanges and when this execution automaton executes no input/output transition for a specified time chosen by the aforesaid user. Following such a suspension, the pilot module 3 transmits specific command/response pairs, DPDU messages, to the agent module 5 so as to monitor the state of the execution automaton, then to prompt the continuation of the execution of the aforesaid execution automaton AUT.

[0183] A comparative description will now be given of the modus operandi of the process for tracking and monitoring execution of applets, on the one hand in the absence of any debugging mode, that is to say for normal execution substantially in accordance with the execution of a virtual machine of the prior art, with reference to FIG. 4a, and on the other hand in debugging mode, by virtue of the implementation of the system and of the protocol which are the subjects of the present invention, with reference to FIGS. 4b and 4c.

[0184] With reference to FIG. 4a, on the embedded computer system 1, that is to say the corresponding chip card, accesses to the inputs/outputs I/O of the virtual machine VM involve calls to a small number of functions of the operating system OS, which are considered to offer services equivalent to the interface library API associated with a virtual machine of JAVA CARD type. On the microprocessor card constituting the embedded computer system 1, the agent 5 for monitoring and tracking execution is set up between the operating system OS and the virtual machine VM. This setup is represented in FIG. 3b. When it is activated, the agent module 5 intercepts all the calls to these I/O input/output functions and transforms each of these calls into an exchange of DPDU with the pilot module 3.

[0185] For normal executions, that is to say in the absence of any debugging mode, as represented in FIG. 4a, the terminal allowing execution of the application 2 dispatches for example a command composed of 5 bytes, or words, of incoming data C₁, C₂, C₃, C₄, C₅. The applet concerned accesses the incoming data through two calls to the GET_BYTES method, transferring the words C₁, C₂, then C₃, C₄, C₅, and then transmits the four response words R₁, R₂, R₃, R₄ in a single operation.

[0186] Because of the half-duplex nature of the ISO 7816 protocol, the chip card constituting the embedded computer system 1 keeps control throughout the duration of the exchange. It is then not possible to interrupt execution other than by cutting the power supply to the card.

[0187] When, on the other hand, one switches to debugging mode, in accordance with the implementation of the applet tracking and monitoring system which is the subject of the present invention, as represented in FIGS. 3a and 3b, the modus operandi is as follows, with reference to FIG. 4b.

[0188] In the aforesaid figure, the DPDU commands exchanged between the pilot module 3 and the agent module 5 are represented between square brackets. The agent module 5 behaves, with regard to the operating system OS, like a normal application and accesses these DPDU commands with the same functions as those used by the applet when the latter is executed in non-debugged mode. These functions are none other than the GET_BYTES and SEND_BYTES functions, as well as the functions described previously in respect of the implementation of the protocol which is the subject of the present invention. The benefit of cutting the exchange of a single command/response into several commands/responses compatible with the ISO 7816 protocol is as follows: between two successive partial exchanges, the input/output channel is free for other exchanges between the pilot module 3 and the agent 5. Such exchanges are invisible to the applet and, of course, to the terminal executing the application 2. These exchanges make it possible to monitor the execution of the virtual machine VM and to access the internal state of the latter.

[0189] When the virtual machine VM reaches a stopping point between two calls to the input/output functions, the chip card, by way of the agent module 5, cedes control to the pilot module 3, thereby allowing the execution tracking and monitoring module 4 to inspect the state of the virtual machine VM by way of appropriate commands.

[0190] Represented in FIG. 4c, by way of nonlimiting example, is the execution tracking and monitoring module 4 requesting the value of a variable x. Such an exchange is completely valid physically, since it comprises only well-formed C-APDU and R-APDU commands. Such would not be the case if the exchange in progress between the terminal executing the application 2 and the applet installed in the embedded system 1 had had to be interrupted.

[0191] It is thus understood that the inspection of the state of the virtual machine VM is executed while this virtual machine is suspended, on the initiative of the module 4 for tracking and monitoring execution, by read/write commands on the memory of the computer system 1.

[0192] Through such a process for tracking and monitoring execution, that is to say debugging, it is thus possible to multiplex, on the single physical channel, the data exchanged between the terminal allowing the execution of the application 2 and the applet App_x, on the one hand, and between the pilot module 3 and the tracking and monitoring agent module 5, on the other hand.
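The debugged exchange of FIGS. 4a to 4c, as an added Python example that is not part of the patent: a toy applet makes the two GET_BYTES calls and the one SEND_BYTES call of [0185]; the agent turns each call into a DPDU and cedes control, and in the gap between two partial exchanges the pilot reads the variable x of FIG. 4c without the applet or the terminal noticing. The DPDU names (GET_BYTES, SEND_BYTES, END, PEEK, PEEK_R), their field layout, the applet written as a generator and the class interfaces are all assumptions of this example; the patent fixes none of them.

```python
from dataclasses import dataclass
from typing import Dict, Generator, List, Optional, Tuple


@dataclass
class Dpdu:
    """One Debug Protocol Data Unit. Kinds and fields are this example's own, not the patent's."""
    kind: str            # GET_BYTES, SEND_BYTES, END (agent -> pilot); PEEK, PEEK_R (pilot <-> agent)
    data: bytes = b""
    count: int = 0


def applet(vm_state: Dict[str, int]) -> Generator:
    """Toy applet of FIG. 4a: reads C1 C2, then C3 C4 C5, then sends R1..R4 in one call.
    Each yield is a call to an OS I/O function; the value sent back is what GET_BYTES returned."""
    head = yield ("GET_BYTES", 2)
    tail = yield ("GET_BYTES", 3)
    vm_state["x"] = sum(head) + sum(tail)           # a variable the debugger will inspect
    yield ("SEND_BYTES", bytes([vm_state["x"] & 0xFF, 0x00, 0x90, 0x00]))


class Agent:
    """Card-side agent module, placed between the VM and the OS I/O functions.
    Every I/O call of the applet becomes a DPDU, after which the card cedes control."""

    def __init__(self) -> None:
        self.vm_state: Dict[str, int] = {}
        self.vm = applet(self.vm_state)
        self.started = False

    def run_to_next_io(self, inbound: Optional[bytes]) -> Dpdu:
        try:
            req = self.vm.send(inbound) if self.started else next(self.vm)
        except StopIteration:
            return Dpdu("END")
        self.started = True
        kind, arg = req
        return Dpdu("GET_BYTES", count=arg) if kind == "GET_BYTES" else Dpdu("SEND_BYTES", data=arg)

    def debug(self, cmd: Dpdu) -> Dpdu:
        """Debug commands are served while the VM is suspended; the applet never sees them."""
        if cmd.kind == "PEEK":
            return Dpdu("PEEK_R", data=str(self.vm_state.get(cmd.data.decode())).encode())
        raise ValueError(f"unknown DPDU {cmd.kind}")


class Pilot:
    """Reader-side pilot module: serves the terminal's command to the applet piece by piece
    and slips debugger traffic into the gaps between partial exchanges."""

    def __init__(self, agent: Agent, command: bytes) -> None:
        self.agent, self.command = agent, command
        self.cursor = 0
        self.response = bytearray()
        self.trace: List[str] = []

    def run(self, inspect: Optional[str] = None) -> bytes:
        inbound: Optional[bytes] = None
        while True:
            d = self.agent.run_to_next_io(inbound)     # card runs until its next I/O, then cedes
            self.trace.append(f"agent->pilot {d.kind}")
            if d.kind == "END":
                return bytes(self.response)
            if inspect is not None:                   # channel is free: debugger reads a variable
                r = self.agent.debug(Dpdu("PEEK", data=inspect.encode()))
                self.trace.append(f"pilot->agent PEEK {inspect} = {r.data.decode()}")
            if d.kind == "GET_BYTES":
                inbound = self.command[self.cursor:self.cursor + d.count]
                self.cursor += d.count
            else:
                self.response += d.data
                inbound = b""


def debug_session(command: bytes = bytes([1, 2, 3, 4, 5]),
                  inspect: Optional[str] = "x") -> Tuple[bytes, List[str]]:
    """Run the constructed command C1..C5 through the debugged applet; return R1..R4 and the link trace."""
    pilot = Pilot(Agent(), command)
    return pilot.run(inspect), pilot.trace
```

With `inspect=None` the trace is just the four agent-initiated DPDUs; with `inspect="x"` a PEEK sits between each pair of them, and the bytes the terminal finally receives are identical in both cases, which is the point of [0188] and [0190].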

[0193] Such a modus operandi makes it possible to obtain:

[0194] a total absence of effect on the implementation of the operating system OS, the agent module 5 plus virtual machine VM assembly behaving like any other application. In particular, this modus operandi does not necessitate the existence of a second physical communication channel;

[0195] a limited effect on the implementation of the virtual machine, since it is sufficient to replace the calls to a small number of functions of the operating system OS by calls to equivalent functions in the agent module 5.

[0196] Finally, the system for tracking and monitoring execution of applets and the protocol which are the subject of the present invention are especially well suited to the execution of asynchronous stoppings of the execution of the virtual machine.

[0197] Specifically, it is desirable to be able to stop the execution of the virtual machine VM at any moment when, for example, the applet is engaged in a lengthy or endless computation. Having regard to the nature of the link L₁₃, it is not possible to pass control to the tracking and monitoring agent module 5 and to wait for the latter to terminate the execution, or for the applet App_x to proceed with the execution of an input/output, the agent module 5 being able to cede control only on its own initiative.

[0198] The solution proposed, in accordance with the implementation of the system and of the protocol which are the subject of the invention, then consists in employing a command which launches the execution of the virtual machine VM for a specified duration T, on completion of which the agent module 5 cedes control to the pilot module 3, which then has the opportunity of suspending execution, or of resuming it if no suspension request originating from the execution tracking and monitoring module has occurred meanwhile. This process of execution for a specified duration corresponds to the process of FIG. 2d between the master element E/RM, constituted by the application 2 and the pilot module 3, and the slave element E/RE, constituted by the embedded computer system 1 and in particular the tracking and monitoring agent 5.

[0199] At the level of the embedded computer system 1, constituted by a chip card, such a command for execution for a specified time can be implemented through the use of a system timer downcounter or of a simple counter decremented with each instruction executed. The precise duration T of execution can be arbitrary, provided that it is finite, that is to say that the agent module 5 eventually cedes control. The order of magnitude of the value T determines the reactivity of the system to interrupt requests: the shorter T, the faster the system can interrupt execution. The value of T also determines the overall efficiency of the assembly, since one APDU exchange exists for each execution of duration T. The order of magnitude of the duration T can therefore be chosen as a function of requirements, on the initiative of the user.

[0200] Finally, the system for tracking and monitoring execution of applets which is the subject of the invention also makes it possible to execute the code of an applet source line by source line. In general, the lookup table of correspondence between program counter and source line number cannot be stored on the embedded system 1 formed by the chip card, and it is vital to minimize the monitoring exchanges.

[0201] The solution allowed by the system and the protocol which are the subject of the present invention consists in associating a program counter interval with each source line. This table can be computed by the compiler and stored outside the embedded system 1, in a memory area accessible to the pilot module 3, for example situated in the execution tracking and monitoring module 4. For each line-by-line execution request, the interval corresponding to the current line is transmitted together with the command. For each instruction, the execution of the virtual machine VM is diverted into a code element of the tracking and monitoring agent 5, which tests whether the program counter is still within the relevant interval. When the program counter leaves this interval, execution has reached a line different from the current one, and the agent module 5 cedes control to the pilot module 3.

[0202] It is thus possible to transmit the information needed by each line-by-line execution request without having to store the table of lines on the embedded computer system 1.

[0203] Similar stopping conditions involving the size of the stack of the virtual machine allow the simple implementation of other types of symbolic execution, such as execution of a line while skipping the method calls (step over) or exit from the current method (step out), for example.
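The bounded execution of [0198] and [0199] and the interval-based stepping of [0200] to [0203], as one added Python example that is not part of the patent. A toy VM runs a constructed eight-instruction program; the card-side agent is entered after every instruction and cedes control when the stop condition carried by the command holds: an instruction down-counter for run-for-T, a pc interval for line stepping, and the same interval combined with the call-stack depth for step over and step out. The line table lives on the reader side only. The bytecode, the line table, the method names and the way the asynchronous stop request is modelled (arriving after a fixed number of exchanges) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Toy bytecode of this example: ("NOP",), ("JMP", target), ("CALL", target), ("RET",), ("HALT",)
Instr = Tuple[str, ...]

# Constructed program. The line table (line, pc_lo, pc_hi) is what the compiler would emit;
# it is kept on the reader side (module 4) and never stored on the card.
PROGRAM: List[Instr] = [
    ("NOP",),      # pc 0   source line 1
    ("CALL", 5),   # pc 1   source line 2: call helper()
    ("NOP",),      # pc 2   source line 3
    ("NOP",),      # pc 3   source line 4: endless loop
    ("JMP", 3),    # pc 4   source line 4
    ("NOP",),      # pc 5   source line 10: helper()
    ("NOP",),      # pc 6   source line 10
    ("RET",),      # pc 7   source line 11
]
LINE_TABLE = [(1, 0, 1), (2, 1, 2), (3, 2, 3), (4, 3, 5), (10, 5, 7), (11, 7, 8)]


def interval_of_line(line: int) -> Tuple[int, int]:
    """Reader-side lookup: the pc interval [lo, hi) sent along with a step command."""
    return next((lo, hi) for ln, lo, hi in LINE_TABLE if ln == line)


def line_of_pc(pc: int) -> int:
    return next(ln for ln, lo, hi in LINE_TABLE if lo <= pc < hi)


@dataclass
class Vm:
    code: List[Instr]
    pc: int = 0
    stack: List[int] = field(default_factory=list)   # return addresses; its size is the call depth
    halted: bool = False
    executed: int = 0

    def step(self) -> None:
        op = self.code[self.pc]
        self.executed += 1
        if op[0] == "NOP":
            self.pc += 1
        elif op[0] == "JMP":
            self.pc = op[1]
        elif op[0] == "CALL":
            self.stack.append(self.pc + 1)
            self.pc = op[1]
        elif op[0] == "RET":
            self.pc = self.stack.pop()
        else:
            self.halted = True


class Agent:
    """Card-side agent module: the VM is diverted into it after every instruction, and it
    cedes control to the pilot as soon as the stop condition of the current command holds."""

    def __init__(self, vm: Vm) -> None:
        self.vm = vm

    def run_for(self, t: int) -> int:
        """Execute at most t instructions (the per-instruction down-counter of [0199]), then cede."""
        return self._run(lambda vm, n: n >= t)

    def step_line(self, lo: int, hi: int) -> int:
        """Run until the pc leaves [lo, hi): execution has reached another source line."""
        return self._run(lambda vm, n: not lo <= vm.pc < hi)

    def step_over(self, lo: int, hi: int) -> int:
        """Same, but ignore pcs reached while the call stack is deeper than at the start."""
        depth = len(self.vm.stack)
        return self._run(lambda vm, n: not lo <= vm.pc < hi and len(vm.stack) <= depth)

    def step_out(self) -> int:
        """Run until the current method has returned (stack shallower than at the start)."""
        depth = len(self.vm.stack)
        return self._run(lambda vm, n: len(vm.stack) < depth)

    def _run(self, should_stop: Callable[[Vm, int], bool]) -> int:
        n = 0
        while not self.vm.halted and not should_stop(self.vm, n):
            self.vm.step()
            n += 1
        return self.vm.pc       # the pc reported to the pilot when control is ceded


class Pilot:
    """Reader-side pilot module: repeats the run-for-T command and honours an asynchronous
    stop request at the next moment the card cedes control."""

    def __init__(self, agent: Agent) -> None:
        self.agent = agent
        self.stop_requested = False
        self.exchanges = 0

    def run_until_stopped(self, t: int, stop_after: int) -> Tuple[int, int]:
        """stop_after models the user asking for a stop once that many exchanges have gone by.
        Returns (APDU exchanges made, instructions executed)."""
        while not self.agent.vm.halted:
            self.agent.run_for(t)
            self.exchanges += 1
            if self.exchanges >= stop_after:
                self.stop_requested = True
            if self.stop_requested:
                break
        return self.exchanges, self.agent.vm.executed
```

Run against the endless loop at pc 3, `Pilot(Agent(Vm(list(PROGRAM), pc=3))).run_until_stopped(4, 3)` gives 3 exchanges and 12 instructions before the stop takes effect; halving T halves the latency and doubles the number of APDU exchanges for the same amount of execution, which is the trade-off [0199] describes.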

1. A process for the transmission of a plurality of logical flows for multiple exchange of command/response pairs on a single physical exchange channel (L13) between a master transceiver (2, 3) and a slave transceiver (5), these logical flows comprising at least one base logical flow, initiated by the master transceiver, subject to the same master/slave relation as said single physical exchange channel, the master, respectively slave, transceiver allowing the execution of at least one software application, characterized in that this process consists in generating, in the one of the base logical flows taken as reference logical flow, a set of concurrent logical flows, each concurrent logical flow being formed by successive elementary packets segmenting the command/response pairs, said successive elementary packets forming the set of concurrent logical flows being transmitted on said reference logical flow, two concurrent logical flows of this set allowing the independent and substantially simultaneous transmission of distinct command/response pairs, the initiation and the continuation of any exchange of command/response pairs being carried out on the initiative of the master transceiver on the basis of specific commands transmitted on this reference flow, and the segmentation into successive elementary packets being carried out on the initiative of the slave transceiver on the basis of specific responses transmitted in response to these specific commands on this reference flow, thereby allowing the exchange of independent and substantially simultaneous command/response pairs between at least one pair of applications of the master, respectively slave, transceiver.
2. The process as claimed in claim 1, characterized in that, for logical flows comprising a plurality of base logical flows, this process consists: a) in generating, in at least one base logical flow taken as reference logical flow, a set of concurrent logical flows, each concurrent logical flow being formed by successive elementary packets segmenting the command/response pairs, said successive elementary packets forming the set of concurrent logical flows being transmitted on said reference logical flow, two concurrent logical flows of this set allowing the independent and substantially simultaneous transmission of distinct command/response pairs, the initiation and the continuation of any exchange of command/response pairs being carried out on the initiative of the master transceiver on the basis of specific commands transmitted on this reference flow, and the segmentation into successive elementary packets being carried out on the initiative of the slave transceiver on the basis of specific responses transmitted in response to these specific commands on this reference flow; b) in suspending the exchange of any concurrent logical flow upon the activation by said master transceiver of a base logical flow distinct from the reference logical flow, for execution of an exchange of command/response pairs on this base logical flow on said single physical exchange channel; c) in continuing the exchange of any concurrent logical flow immediately upon the end of the execution of the exchange of any base logical flow, thereby allowing, on the one hand, the exchange of independent and substantially simultaneous command/response pairs between at least one pair of applications of the master, respectively slave, transceiver and, on the other hand, the exchange of priority command/response pairs on said base logical flows on said single physical exchange channel.
3. The process as claimed in one of claims 1 or 2, characterized in that said distinct command/response pairs are formed from at least one first and one second specific command and from a first, a second and a third specific response, the first specific command allowing the master transceiver to notify the slave transceiver of the existence of the set of currently active concurrent logical flows; the second specific command, dispatched on receipt of the first specific response from the slave transceiver to one of the first, respectively second, specific commands, making it possible to dispatch from the master transceiver to the slave transceiver an elementary packet relating to the currently active command of the one of the concurrent logical flows of this set which is designated in this first specific response, the chopping of said currently active command into successive packets being carried out on the initiative of the slave transceiver by specification, in this first specific response, of the maximum size of the packet transmitted in this command; the second specific response making it possible to dispatch, from the slave transceiver to the master transceiver, an elementary packet of the response on a currently active concurrent logical flow designated in this second specific response; the third specific response consisting of a simple response of end of specific command/response pair sent from the slave transceiver to the master transceiver, the continuation of the exchange of successive packets being carried out on the initiative of the master transceiver on return by the latter of said first specific command.
4. The process as claimed in one of claims 1 to 3, characterized in that said base logical flows are constructed in accordance with ISO 7816-3 and ISO 7816-4, the command/response pairs being formed by command (C-APDU), respectively response (R-APDU), APDU entities.
5. The process as claimed in claim 4, characterized in that the master transceiver is constituted by a chip card reader and at least one application connected to this reader, and the slave transceiver is constituted by a multi-application chip card.
6. The process as claimed in one of claims 1 to 5, characterized in that each of the concurrent logical flows can be closed, respectively opened, on the initiative of said master transceiver.
7. The process as claimed in one of claims 4 to 6, characterized in that each successive elementary packet forming said concurrent logical flows is transmitted by means of specific APDU command/response pairs on said single physical channel.
8. The process as claimed in claims 4 and 7, characterized in that, the command/response pairs for executing a base logical flow being constituted by APDU entities, the distinct command/response pairs are formed by a specific APDU command of Envelope type and a short APDU response belonging to a subset of APDU responses.
9. A system for tracking and monitoring execution of applets installed on a computer system (1) furnished with at least one memory, with an execution automaton and with an operating system, at least one of these applets being intended to exchange specific information with at least one application (2) executed by a computer furnished with another operating system, characterized in that it comprises at least: pilot means (3) for tracking and monitoring execution which are linked, on the one hand, to said application (2) and, on the other hand, to said computer system (1) by way of a single physical exchange link (L13) of command/response type; means (4) for tracking and monitoring execution which are interconnected with said pilot means and are intended to monitor the execution of said execution automaton of said computer system (1); an agent module (5) for tracking and monitoring execution of the execution automaton, installed in said computer system (1), said pilot means (3) effecting the control of monitoring and of management of the agent module by way of specific command/response pairs, DPDU messages, on the single physical exchange channel, said agent module (5) prompting, with each input/output transition, the exchange of DPDU messages comprising packets of the command or of the response between applications and applets; said pilot means (3) suspending, on request from the means (4) for tracking and monitoring execution, the execution of the execution automaton during input/output exchanges and when this execution automaton executes no input/output transition for a specified time, said pilot means (3) then having regained control, and, following the suspension of this execution, said pilot means (3) transmitting specific command/response pairs, DPDU messages, to the agent module (5) so as to access the state of the execution automaton, then prompting the continuation of the execution of this execution automaton by means of a specific command.
10. The system as claimed in claim 9, characterized in that said computer system (1) is an embedded system constituted by a microprocessor card, and in that, said pilot means comprising a microprocessor card reader, said physical exchange link of command/response type is an ISO 7816 link.
11. The system as claimed in one of claims 9 or 10, characterized in that said means (4) for monitoring execution comprise at least one means for controlling reading of the memory of said computer system (1).
12. The system as claimed in one of claims 9 to 11, characterized in that said means (4) for monitoring execution furthermore comprise means for monitoring the execution of the execution automaton of said computer system (1).
13. The system as claimed in one of claims 9 to 12, characterized in that said means (4) for monitoring execution furthermore comprise means for controlling writing of the memory of said computer system (1).
14. The system as claimed in claims 9, 11 and 12, characterized in that said means (4) for monitoring execution are linked to said pilot means (3) by a JDWP protocol, thereby making it possible to use any tracking and monitoring tool adapted to this protocol.
15. The system as claimed in claims 9 and 10, characterized in that said execution automaton comprises a virtual machine and an application interfacing library (API).
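The segmentation protocol of claims 3 and 8, as an added Python example that is not part of the patent. Two concurrent flows each carry one command/response pair; the master sends the first specific command (the set of active flows) and, whenever the slave answers with the first specific response (a flow id and a maximum packet size), the second specific command with one packet of that flow's command. The slave returns response packets with the second specific response and closes with the third, after which the master continues by sending the first specific command again. Both specific commands are carried in ENVELOPE C-APDUs, whose instruction byte 0xC2 is the one ISO 7816-4 defines; the P1 codes, the status words used as short responses, the one-byte "more" flag marking the last packet (the claims do not say how the slave learns that a command is complete), the round-robin choice of flow and the applets are assumptions of this example, and the round-robin policy goes beyond the claims, which leave the slave's choice open.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ENVELOPE_INS = 0xC2        # ISO 7816-4 ENVELOPE instruction byte: the Envelope-type C-APDU of claim 8
# P1 codes and status words below are assumptions of this example, not values from the patent.
P1_NOTIFY_ACTIVE = 0x01    # first specific command: data = ids of the currently active concurrent flows
P1_PACKET = 0x02           # second specific command: P2 = flow id, data = [more] + command packet
SW_SEND_PACKET = 0x6101    # first specific response: data = [flow id, maximum packet size]
SW_RESP_PACKET = 0x6102    # second specific response: data = [flow id, more] + response packet
SW_END = 0x9000            # third specific response: end of the specific command/response pair


@dataclass
class Flow:
    command: bytes
    sent: int = 0
    response: bytearray = field(default_factory=bytearray)
    done: bool = False


class Slave:
    """Chip-card side. It reassembles each flow's command, runs the applet, and chooses both
    the flow served next and the packet size: the segmentation is its initiative (claim 3)."""

    def __init__(self, applets: Dict[int, Callable[[bytes], bytes]], max_packet: int) -> None:
        self.applets, self.max_packet = applets, max_packet
        self.partial: Dict[int, bytearray] = {}    # commands still being received
        self.complete: set = set()                 # flows whose command is fully received
        self.outbox: Dict[int, bytes] = {}         # responses not yet fully returned
        self.active: List[int] = []
        self.turn = 0

    def process(self, c_apdu: bytes) -> Tuple[bytes, int]:
        _cla, ins, p1, p2, lc = c_apdu[:5]
        body = c_apdu[5:5 + lc]
        if ins != ENVELOPE_INS:
            return b"", 0x6D00                      # INS not supported
        if p1 == P1_NOTIFY_ACTIVE:
            self.active = list(body)
        elif p1 == P1_PACKET:
            more, chunk = body[0], body[1:]         # 'more' flag: assumption of this example
            self.partial.setdefault(p2, bytearray()).extend(chunk)
            if not more:                            # last packet: run the applet, queue the response
                self.complete.add(p2)
                self.outbox[p2] = self.applets[p2](bytes(self.partial.pop(p2)))
        return self._next_response()

    def _next_response(self) -> Tuple[bytes, int]:
        for fid, resp in list(self.outbox.items()):   # a ready response goes out packet by packet
            chunk, rest = resp[:self.max_packet], resp[self.max_packet:]
            if rest:
                self.outbox[fid] = rest
            else:
                del self.outbox[fid]
            return bytes([fid, 1 if rest else 0]) + chunk, SW_RESP_PACKET
        pending = [fid for fid in self.active if fid not in self.complete]
        if pending:                                 # round-robin over flows still sending a command
            fid = pending[self.turn % len(pending)]
            self.turn += 1
            return bytes([fid, self.max_packet]), SW_SEND_PACKET
        return b"", SW_END


class Master:
    """Reader side. It initiates and continues every exchange, but sends only the flow
    and the packet size the slave asked for."""

    def __init__(self, slave: Slave, commands: Dict[int, bytes]) -> None:
        self.slave = slave
        self.flows = {fid: Flow(cmd) for fid, cmd in commands.items()}
        self.packet_order: List[int] = []          # flow id of every command packet sent

    def exchange(self, p1: int, p2: int, data: bytes) -> Tuple[bytes, int]:
        if p1 == P1_PACKET:
            self.packet_order.append(p2)
        return self.slave.process(bytes([0x80, ENVELOPE_INS, p1, p2, len(data)]) + data)

    def run(self) -> Dict[int, bytes]:
        while not all(f.done for f in self.flows.values()):
            active = bytes(sorted(fid for fid, f in self.flows.items() if not f.done))
            data, sw = self.exchange(P1_NOTIFY_ACTIVE, 0, active)   # first specific command
            while sw == SW_SEND_PACKET:                              # first specific response
                fid, limit = data[0], data[1]
                f = self.flows[fid]
                chunk = f.command[f.sent:f.sent + limit]
                f.sent += len(chunk)
                more = 1 if f.sent < len(f.command) else 0
                data, sw = self.exchange(P1_PACKET, fid, bytes([more]) + chunk)  # second specific command
            if sw == SW_RESP_PACKET:                                 # second specific response
                fid, more, chunk = data[0], data[1], data[2:]
                self.flows[fid].response += chunk
                self.flows[fid].done = more == 0
            elif sw == SW_END and not all(f.done for f in self.flows.values()):
                raise RuntimeError("slave ended the pair with flows still open")
        return {fid: bytes(f.response) for fid, f in self.flows.items()}


def run_example() -> Tuple[Dict[int, bytes], List[int]]:
    """Constructed scenario: flow 1 reverses its command, flow 2 upper-cases it, packets of 4 bytes."""
    slave = Slave({1: lambda c: c[::-1], 2: lambda c: c.upper()}, max_packet=4)
    master = Master(slave, {1: b"HELLO WORLD", 2: b"abc"})
    return master.run(), master.packet_order
```

The packet order the master records shows the interleaving the claims call substantially simultaneous: the slave pulls one packet of flow 1, then the whole of flow 2's short command, answers flow 2, and only then pulls the rest of flow 1.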